http://www.wired.com/news/technology/0,1282,54297,00.html
By Brian McWilliams
11:00 a.m. Aug. 2, 2002 PDT
When Patrick Mueller got a phone call Wednesday from a Hewlett-Packard
engineer looking for a program to test the security of his Web server,
alarm bells went off in his head.
"My first impression was that he was trying to trap us," said Mueller,
a security analyst with Neohapsis, a network and security consulting
group located in Chicago.
Under ordinary circumstances, the HP engineer's request for OpenSSL
"exploit code" would not have raised eyebrows. But earlier this week,
HP sent shock waves through the industry when it threatened a lawsuit
against Secure Network Operations (SnoSoft), a small security firm
based in Massachusetts.
In a novel legal argument, HP claimed SnoSoft violated the 1998
Digital Millennium Copyright Act when one of its researchers released
an exploit in mid-July that could give remote attackers control of
systems running HP's Tru64 Unix operating system. In a July 29 letter
to SnoSoft, HP warned that the incident exposed SnoSoft to potential
imprisonment and half a million dollars in fines.
HP's request for help from Neohapsis probably was spurred on by
Neohapsis being credited Tuesday with discovering a serious security
bug in OpenSSL, a popular open-source Internet application.
After warily conversing with the HP engineer, who identified himself
as Peter Bobco, a webmaster with the company's Compaq headquarters in
Houston, Mueller decided the request was legit and passed it on to his
boss.
"Sure, we've got an exploit for the OpenSSL bug, but no way are we
going to let it out, and definitely not to someone from HP," said Greg
Shipley, Neohapsis' chief technology officer.
Bobco declined a telephone interview with Wired News Thursday. An HP
spokesperson said the company was investigating the situation and had
no immediate comment.
By threatening SnoSoft with legal action, HP has awkwardly stepped
into the middle of the debate over what security professionals call
"full disclosure." At issue is what constitutes the responsible
handling of vulnerability information.
To SnoSoft co-founder Adriel T. Desautels, the bizarre timing of
Bobco's request for Neohapsis' OpenSSL exploit code was like a slap in
the face.
"I almost feel insulted by it. We offered to work with HP and help
them harden their systems in a big way. Yet HP refused our help. And
now they are out digging for exploit code?" Desautels said Thursday.
SnoSoft had been working privately with HP for several months on a
handful of Tru64 bug reports when a SnoSoft researcher without
authorization posted the exploit to the Bugtraq security mailing list,
according to Desautels.
In response to public outcry, HP appears to be backing away from its
legal threats. According to Desautels, SnoSoft held "positive" talks
with HP on Thursday that suggested the big computer maker will not
move ahead with legal action against SnoSoft.
An HP representative declined to comment on the SnoSoft discussions,
but did provide a statement that said the letter to SnoSoft "was not
consistent or indicative of HP's policy. We can say emphatically that
HP will not use the DMCA to stifle research or impede the flow of
information that would benefit our customers and improve their system
security."
According to Shipley, HP's attempt to make exploit code illegal could
seriously harm computer security.
"That's what exploit code is good for -- helping companies develop
fixes," said Shipley, who noted that Neohapsis only releases such
proof-of-concept programs to affected vendors and not to the public or
to researchers who privately request them.
Accepting demonstration code from bug finders appears to be standard
practice at HP. A page at the firm's site for reporting security
vulnerabilities in HP software provides instructions for submitting
exploits to the company.
In some instances, new exploits, also known as "zero-days," are also a
means by which security researchers can privately prod vendors who
deny vulnerabilities exist.
"When we told HP that we found (the bugs in Tru64 Unix), they didn't
take us seriously. Then we created some proof-of-concept code, and
their attitude changed," said Desautels. He said SnoSoft's disclosure
policy generally gives vendors eight days to respond to a
vulnerability report before going public. In the case of HP, SnoSoft
agreed to a 45-day grace period, he said.
System administrators and software developers also rely on such
programs to test their applications for security flaws. A couple dozen
U.S. government and military sites have already downloaded the leaked
SnoSoft exploit, according to a log at the download site.
Mueller said the irony of Bobco's exploit request was not lost on the
HP engineer.
"He was sympathetic and said HP's handling of the whole SnoSoft thing
made HP look bad but he pointed out that HP was a big company and not
everyone feels the same way," Mueller said.
ISN is currently hosted by Attrition.org